From saas-alerts
Use this skill to triage SaaS Alerts security alerts across managed M365 / Google Workspace tenants — ranking by severity and tenant impact, separating true positives from noise, and producing a shift-ready response plan.
How this skill is triggered — by the user, by Claude, or both
Slash command
/saas-alerts:triageWhen to use
When sweeping and prioritizing the SaaS Alerts queue across tenants and deciding what to escalate. Use when: triage saas alerts, saas alerts queue, prioritize saas alerts, or m365 security alerts.
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Triage means sweeping the alert queue across all managed customers,
Triage means sweeping the alert queue across all managed customers, ranking by severity and customer impact, separating true positives from noise, and handing the on-shift analyst a prioritized, actionable plan. The SaaS Alerts MCP surface is well-suited to this: event queries are customer-scoped or cross-tenant, severity is a first-class filter, and recommended actions are machine-generated per alert.
| Tool | Role in Triage |
|---|---|
saas_alerts_status | Confirm gateway + upstream connectivity before the sweep |
saas_alerts_customers_list | Enumerate all managed customers |
saas_alerts_events_query | Pull events filtered by severity and time window, per customer or all |
saas_alerts_events_query_advanced | Cross-tenant pattern queries (impossible travel across tenants, bulk sign-in anomalies) |
saas_alerts_recommended_actions | Fetch vendor-generated remediation steps for a specific alert |
saas_alerts_users_get | Attribute an event to a specific user for context |
saas_alerts_devices_get | Attribute an event to a specific device |
saas_alerts_status — confirm connectivity.saas_alerts_events_query with alert_status: critical and a
24-hour window across all customers.saas_alerts_recommended_actions to
surface remediation guidance.saas_alerts_users_get if a
user ID is present.saas_alerts_customers_list → select the target customer.saas_alerts_events_query scoped to customer_id for the last 7 days.alert_status, top event types, affected users.saas_alerts_events_query_advanced with a pattern filter (e.g.,
impossible_travel or bulk_delete) across all customers.| Level | Meaning | Default Disposition |
|---|---|---|
critical | High-confidence attack or active compromise | Investigate immediately; escalate to client |
medium | Suspicious but may be legitimate; needs review | Review within shift |
low | Informational or likely benign | Batch review; lower priority |
Always start with critical. Do not skip medium — attackers often
generate medium-severity events as precursors.
saas_alerts_events_query returns no
events for a customer, that is the correct answer. Do not fabricate
alerts. The emptyGuard isError signal in the MCP server will surface
if the tool call itself failed rather than legitimately returning empty.saas_alerts_customers_get for whitelist configuration.saas_alerts_recommended_actions
output — the analyst should not have to make a separate tool call.set_whitelists, customers_update) must be
confirmed with the operator before execution.npx claudepluginhub wyre-technology/msp-claude-plugins --plugin saas-alertsGuides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.
Manages knowledge base ingestion, sync, and retrieval across local files, MCP memory, vector stores, and Git repos. Use for saving, organizing, deduplicating, or searching knowledge.